model synthesis new challenges in model based design rajeev alur
TRANSCRIPT
1
Model Synthesis
New Challenges in Model Based Design
Rajeev Alur
Medical CPS NSF Site Visit, Jan 2012
University of Pennsylvania
Software: Key to Embedded Revolution
Software Inside!
Software New features, Automation, Customization
Software Bugs, Unpredictability, Recalls
2
Prius Brake Problems Blamed on Software Glitches
“Toyota officials described the problem as a "disconnect" in the vehicle's complex anti-lock brake system (ABS) that causes less than a one-second lag. With the delay, a vehicle going 60 mph will have traveled nearly another 90 feet before the brakes begin to take hold” (source: CNN Feb 4, 2010)
Embedded Computation
q Typical embedded program: cruise control Loop
Read the sensors; Compute speed; Compute pressure for brake pedal / accelerator; Transmit the outputs to actuators;
q Program has (non-terminating) interaction with the outside world: Reactive computation
q Correctness depends on real-time response (does the car brake fast enough?)
q Analysis of correctness requires modeling of the dynamics of the car
3
State machines
off on
+ Dynamical systems
dx/dt = kx x<70
dx/dt = -k’x x>60
x>68
x<63
Automotive Robotics Systems Biology
Coordination Protocols
Computer Science § Automata/Logic
§ Concurrency § Formal verification + Control Theory § Optimal control § Stability analysis § Discrete-event system Software + Environment
Hybrid Systems
Medical Devices
Model Based Design for Embedded Software
Programming/Modeling Language Based on Hybrid Automata
Libraries in Base Language Platform Description
Design and Analysis Tools Simulation, Verification, Optimization
Formal Specification Environment Model
Performance Metrics
Executable Code on Embedded Processor
Compiler + Scheduler
Can we formally prove safety properties of models?
Can we infer properties of code from properties of models?
4
Medical Devices
q From 1985-2005, nearly 30,000 deaths and 600,000 injuries from device failures q From 1996-2006, the percentage of software-related causes in medical device recalls have grown from 10% to 21% (Complexity↑ → Potential safety violations↑) q There is currently no well-established standards for development of software for medical devices
Model-based Pacemaker Software Design
Verification
Simulation
Testing
Heart Pacemaker
UPPAAL Model
Simulink Model
Pacemaker Implementation
Random Heart Model
Virtual Heart Model
Heart Model Implementation
Interface
Interface
Interface
Interface
5
Model Verification
Verification
Simulation
Testing
Heart Pacemaker
UPPAAL Model
Simulink Model
Pacemaker Implementation
Random Heart Model
Virtual Heart Model
Heart Model Implementation
Interface
Interface
Interface
Interface
UPPAAL: A tool for verification of network of Timed-automata
Jiang, Pajic, Moarref, Alur, Mangharam, TACAS 2012
Model Simulation
Verification
Simulation
Testing
Heart Pacemaker
UPPAAL Model
Simulink Model
Pacemaker Implementation
Random Heart Model
Virtual Heart Model
Heart Model Implementation
Interface
Interface
Interface
Interface
Timing-based heart model and interface in Simulink
Jiang, Pajic, Mangharam, ICCPS, Proc. IEEE, 2011
6
Model Translation and Implementation
Verification
Simulation
Testing
Heart Pacemaker
UPPAAL Model
Simulink Model
Pacemaker Implementation
Random Heart Model
Virtual Heart Model
Heart Model Implementation
Interface
Interface
Interface
Interface
Pajic, Jiang, Lee, Mangharam, Sokolsky, RTAS 2012
Implantable Pacemaker Modeling
7
Uppaal Model of Dual Chamber Pacemaker
Summary of Verification Results
q Modeled and verified a dual chamber pacemaker and additional advanced functions
q Showed that adding new functions to the pacemaker may result in safety violations
q Showed that more detailed heart model is needed for more advanced safety requirements
8
New Challenges: Model Synthesis
1. Can we extract (controller) models from code?
2. Can we extract (plant) models from data?
3. Can we use analysis/verification technology to assist the designer to construct models?
1. From Code to Models
q What if pacemaker software is not developed using MBD " How to verify / certify code for pacemaker software
q Potential solution: Extract EFSM (Extended finite-state-machine) models from code
q Starting point: Predicate abstraction used for software verification " Challenges: Extract timing properties
9
Model Checking of C code
Phase 1: Given a program P, build an abstract finite-state (Boolean) model A such that set of behaviors of P is a subset of those of A (conservative abstraction)
Phase 2: Model check A wrt specification: this can prove P to be correct, or reveal a bug in P, or suggest inadequacy of A
" Shown to be effective on
Windows device drivers in Microsoft Research project SLAM
do{ KeAcquireSpinLock(); nPacketsOld = nPackets; if(request){
request = request->Next; KeReleaseSpinLock(); nPackets++;
} }while(nPackets!= nPacketsOld); KeReleaseSpinLock();
Do lock operations, acquire and release, strictly alternate on every
program execution?
2. From Data to Models
q What’s a good model of heart for verifying correctness requirements of pacemaker software? " Ideally, model should be patient specific
q Potential solution: Extract timed/hybrid automata models for ECG data for a patient
q Computational challenge: Can we develop suitable learning algorithms ? " Background: L* algorithm for learning DFA " Background: Learning linear constraints among variables
10
3. Assisting Designers in Model Construction
q How can computational tools assist designers? " Maturing verification technology, fast constraint solvers " Enormous computational power available
q Goal: Allow designer to express “model under construction” using multiple, intuitive formats " Synthesis tool can integrate different formats, interactively with
designer to produce desired model " EFSMs + Example scenarios + High-level requirements
q Inspiration: Emerging research in software synthesis
Sketch: Program completion Ref: Chaudhuri, Solar-Lezama (PLDI 2010)
Err = 0.0; for(t = 0; t<T; t+=dT){ if(stage==STRAIGHT){ if(t > ??) stage= INTURN; } if(stage==INTURN){ car.ang = car.ang - ??; if(t > ??) stage= OUTTURN; } if(stage==OUTTURN){ car.ang = car.ang + ??; if(t > ??) break; } simulate_car(car); Err += check_collision(car); } Err += check_destination(car);
Backup straight
Straighten
Turn
When to start turning?
How much to turn?
Enables programmers to focus on high-level solution strategy
11
Conclusions
q Model based design (MBD) is a promising approach to design of embedded software
q Over the past year, research at Penn has demonstrated benefits of MBD for rigorous design of pacemaker software
q Synthesis has the potential to transform the way a designer can employ MBD